Skip to main content

Text Generation Inference CVE-2026-63086

| EUVDEUVD-2026-44953 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-07-16 VulnCheck GHSA-c6cx-mj2w-vjcr
6.9
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.6 HIGH

Unauthenticated network SSRF with scope change; confidentiality high via cloud credential theft; no integrity or availability impact on vulnerable system.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jul 16, 2026 - 16:37 vuln.today
CVE Published
Jul 16, 2026 - 15:59 cve.org
MEDIUM 6.9

DescriptionCVE.org

text-generation-inference through 3.3.7 contains a server-side request forgery (SSRF) vulnerability in the OpenAI-compatible multimodal chat completions endpoint that allows unauthenticated network attackers to coerce the server into issuing arbitrary HTTP GET requests by supplying a crafted image_url value in chat message content. The fetch_image function in router/src/validation.rs performs no validation of private, loopback, link-local, or cloud metadata target addresses, and the reqwest HTTP client follows redirects by default, enabling attackers to bypass scheme checks via redirect chains to reach internal services and cloud instance-metadata endpoints for internal port scanning and credential theft.

AnalysisAI

Server-side request forgery in HuggingFace text-generation-inference through version 3.3.7 enables unauthenticated remote attackers to coerce the server into issuing arbitrary outbound HTTP GET requests via a crafted image_url value submitted to the OpenAI-compatible multimodal chat completions endpoint. The fetch_image function in router/src/validation.rs applies no destination validation, and the reqwest client's default redirect-following behavior allows attackers to chain redirects to bypass any scheme-level controls, reaching cloud instance-metadata services (e.g., AWS IMDSv1 at 169.254.169.254) to steal IAM credentials or enumerate internal port services. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Send crafted image_url in multimodal chat request
Delivery
TGI fetch_image issues outbound HTTP GET
Exploit
Attacker-controlled server issues redirect to internal target
Execution
reqwest follows redirect to cloud metadata or internal service
Impact
Extract IAM credentials or probe internal ports

Vulnerability AssessmentAI

Exploitation The OpenAI-compatible multimodal chat completions endpoint must be network-accessible to the attacker, which is default behavior when TGI is deployed as a public or semi-public inference API. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 6.9 (AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N) accurately captures the threat profile: no authentication is required, network exploitation is straightforward, but the AT:P modifier reflects that full subsequent-system impact (SC:H) depends on the TGI server's network reachability to cloud metadata endpoints or internal HTTP services. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker sends a POST request to the TGI multimodal chat completions endpoint with a chat message containing an image_url set to an attacker-controlled server. That server responds with an HTTP 302 redirect to http://169.254.169.254/latest/meta-data/iam/security-credentials/, causing TGI's reqwest client to follow the redirect and return the AWS IAM role credentials in the server's response. …
Remediation No vendor-released patch version is independently confirmed at time of analysis - the affected CPE range covers all versions through 3.3.7 without specifying a fixed release. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-63086 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy